Finding the digital smoking gun

In every epic Hollywood Perry Mason-like dramatic courtroom case, there is always that smoking gun, the “ah-ha” moment – the ubiquitous document waved by a prosecutor in front of an unsuspecting witness who then emotionally admits to taking part in a crime. In reality, those surprise moments rarely occur. But cell phone messages can provide critical information in cases and often provide the missing link to prove a compelling argument that can cinch the case.

Take, for example, the case in which actor Stephen Baldwin sued fellow actor Kevin Costner back in 2012 over a failed business deal. The lawsuit concerned accusations that Costner cheated Baldwin out of millions of dollars in a lucrative BP contract for oil-cleaning machines. Attorneys in the case turned over his phone for a forensic exam. According to gigaom.com, the phone sweep turned up old text messages that Baldwin’s lawyers put before a jury to claim that Costner knew more than he said he did.

Most forensic experts contend that in the digital age, mobile phones have replaced computers as the most important source for digital data – evidence that rarely can be permanently erased. Discovery is the pre-trial stage when both sides collect and exchange pertinent information for the case as they prepare for the trial. Years ago, it meant turning over filing cabinets and boxes, but today discovery usually involves computers, hard drives, servers and mobile phones.

“A lot of the time, the smoking gun is on the cell phone because people are a lot more liberal when texting than on a corporate computer. They’re a lot more off-color when texting,” says Clint Shirley, a partner at New Orleans e-discovery firm Clarity Litigation. He told gigaom.com that at least half of the company’s work involves phones rather than computers. Shirley adds that cell phones are a significant piece of evidence, and in some cases, forensic examiners have recovered tens of thousands of messages and emails. Typically, attorneys will subpoena a person of interest’s email and have a forensic expert “sweep” the phone for evidence. According to Shirley, “mobile phones are so significant not only because people are less discreet on their phones, but also because phones can store far more information” than in previous years.

People of interest have to present their cell phones by court order so they can be forensically examined. So why don’t they simply delete any incriminating evidence before handing the phone over?

The first reason is legal: doing so is illegal under the discovery process, and courts order both sides to preserve all relevant evidence.

The second reason is technical. Namely, deleting those damning texts or emails doesn’t mean the firms sweeping the phone won’t find them all the same. Lars Daniel, an examiner at Guardian Digital Forensics, who has testified in scores of cases, says one can’t simply delete a text message or email and destroy it. Other versions of the message remain stored within deeper layers of the phone. However, data can be effectively destroyed if the device undergoes a “factory reset.” A factory reset wipes out the device’s existing encryption key, meaning that even if a file has survived, the phone will no longer be able to read it.

A factory reset will purge data, but investigators can still find the date of the reset, a potentially incriminating piece of evidence in and of itself.
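The point that deleting a text does not destroy it can be seen at the storage layer. The following is an added example, not part of the original article: it assumes messages are kept in a SQLite database (as the SMS stores on Android and iOS are), uses a hypothetical `sms` table with constructed rows, and compares what the application sees after a delete with what a raw scan of the file finds.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages; the table layout is hypothetical.
SAMPLE = [
    (1, "+15550100", "Lunch at noon?"),
    (2, "+15550101", "CONSTRUCTED-SAMPLE: message the user later deletes"),
    (3, "+15550102", "Running late, start without me"),
]
MARKER = b"CONSTRUCTED-SAMPLE"


def deleted_text_survives(secure_delete: bool) -> bool:
    """Delete one message, then report whether its bytes remain in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        con = sqlite3.connect(path)
        # secure_delete=ON makes SQLite zero freed space; OFF leaves it as-is.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
        con.executemany("INSERT INTO sms VALUES (?, ?, ?)", SAMPLE)
        con.commit()
        con.execute("DELETE FROM sms WHERE id = 2")
        con.commit()
        # Application-level view: the message is gone.
        visible = con.execute("SELECT COUNT(*) FROM sms WHERE id = 2").fetchone()[0]
        assert visible == 0
        con.close()
        # Examiner's view: scan the raw file bytes, ignoring SQL entirely.
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    print("plain delete, text still in file: ", deleted_text_survives(False))
    print("secure delete, text still in file:", deleted_text_survives(True))
```

With a plain delete the row disappears from queries but its text is still present in the file's freed space, which is what a forensic sweep reads; with overwrite-on-delete enabled the same scan finds nothing.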